fix(status): keep plain json off security audit path

src/commands/status.command.ts

@@ -105,8 +105,9 @@ export async function statusCommand(
     await runStatusJsonCommand({
       opts,
       runtime,
-      includeSecurityAudit: true,
+      includeSecurityAudit: opts.all === true,
       includePluginCompatibility: true,
+      suppressHealthErrors: true,
       scanStatusJsonFast: async (scanOpts, runtimeForScan) =>
         await loadStatusScanFastJsonModule().then(({ scanStatusJsonFast }) =>
           scanStatusJsonFast(scanOpts, runtimeForScan),

src/commands/status.test.ts

@@ -721,8 +721,7 @@ describe("statusCommand", () => {
     expect(payload.sessions.recent[0].totalTokensFresh).toBe(true);
     expect(payload.sessions.recent[0].remainingTokens).toBe(5000);
     expect(payload.sessions.recent[0].flags).toContain("verbose:on");
-    expect(payload.securityAudit.summary.critical).toBe(1);
-    expect(payload.securityAudit.summary.warn).toBe(1);
+    expect(payload.securityAudit).toBeUndefined();
     expect(payload.gatewayService.label).toBe("LaunchAgent");
     expect(payload.nodeService.label).toBe("LaunchAgent");
     expect(payload.pluginCompatibility).toEqual({
@@ -736,6 +735,17 @@ describe("statusCommand", () => {
         byStatus: expect.objectContaining({ queued: 0, running: 0 }),
       }),
     );
+    expect(mocks.runSecurityAudit).not.toHaveBeenCalled();
+  });
+
+  it("includes security audit in JSON when all is requested", async () => {
+    mocks.hasPotentialConfiguredChannels.mockReturnValue(false);
+
+    await statusCommand({ json: true, all: true }, runtime as never);
+
+    const payload = JSON.parse(String(runtimeLogMock.mock.calls[0]?.[0]));
+    expect(payload.securityAudit.summary.critical).toBe(1);
+    expect(payload.securityAudit.summary.warn).toBe(1);
     expect(mocks.runSecurityAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         includeFilesystem: true,